One Man's Quest To Foil Hackers

For Robert Carr, founder and chief executive of Heartland Payment Systems, the horror is still fresh. In December 2007 a group of wily hackers broke into Heartland's servers and accessed what the U.S. government estimates to be 130 million credit card numbers. Heartland makes card-swipe machines and software that handle the 16-digit numbers that Visa and MasterCard use to verify transactions--a business, in other words, that depends on bulletproof computer networks. The announcement of the breach (on the morning of Barack Obama's inauguration) sent Heartland's stock on a two-month nosedive, to $3.60 from $18. Resulting settlements to credit card companies plus legal fees: $139 million (it recovered $31 million from its insurance carrier). "The worst thing that can happen to a processing company is to get breached," says Carr, 64. "It looked like there was a good possibility we wouldn't survive."

Survive it has. Headquartered in Princeton, N.J., Heartland acts as a middleman for 250,000 merchants, many of them small businesses. Say you spend $100 on a pair of shoes. The merchant might keep $97.50, and the rest would go to the issuing bank ($1.65); the processor, Heartland (50 cents); and Visa or MasterCard (35 cents). (Heartland has a different deal with Amex and Discover.) While Heartland lost $55 million, pretax, on $1.7 billion in revenue (from $70 billion in charge volume) for the 12 months ended Mar. 31, Robert Dodd, an analyst with Morgan Keegan, thinks the company could easily reach pre-breach 2008 levels next year--that is, earning $70 million pretax or more--if consumer spending and market share pick up. The stock has rebounded to pre-hack levels.

Heartland forwards roughly 70% of its revenue as interchange fees, paid to the banks that issue the credit and debit cards at rates set by Visa and MasterCard according to the size of the merchant and the kind of transaction.

Now Carr aims to make sure what happened to him doesn't put his customers out of business. In a 2009 study, research firm Javelin Strategy estimated that identity theft costs credit card companies, payment processors, merchants and consumers $54 billion annually.

In May Heartland began rolling out a hardware-software package called E3, which encrypts the card number the moment the card is swiped and keeps it encrypted as the data passes through the merchant's point-of-sale system and network. Cost to merchants: $269 for the point-of-sale machine and $58 for the magnetic card reader. The system (which Carr dubbed his "Tylenol tamper-resistant cap") works only with Heartland's processing hardware; the company guarantees to reimburse the merchant for any fines and the cost of any forensic investigation if its system is breached. It is backstopped in this promise by its own self-insurance.

Carr is also taking the pulpit to browbeat the credit card companies into forcing their other processors and merchants to fortify their defenses beyond run-of-the-mill firewalls and updated antivirus software. The National Retail Federation estimates merchants spent $1 billion in 2009 on security audits. Heartland itself had passed one of these (the PCI DSS compliance assessment the card brands require)--not that it meant much. "These audits provide a false sense of security," says Carr, who for the last year has urged his competitors (as they feasted on his disenchanted customers) to join an industry group that would share concerns with one another and the government. "Before this you might hear about a breach six months after it occurred," says John Kirkpatrick, chief information officer at TransFirst, a payment processor in Hauppauge, N.Y. "Now we share information instantaneously."

A potential weakness lies in the fact that the data must be decrypted before it leaves Heartland's system for Visa and MasterCard, because the card networks accept only unencrypted card numbers. No telling whether that link (which might run over a telecom connection across 2,000 or so miles) can be breached. Meanwhile, Heartland's competitors are working to perfect a process called tokenization, which replaces the card number with a token, a stand-in value that has no mathematical relationship to the card number; the token can move through the merchant's systems while only the processor holds the mapping back to the real number. Carr is counting on early adoption of E3 to win the fight. "I've never seen a breached company use a security incident so aggressively," says Avivah Litan, an analyst with Gartner. "It's self-serving on the one hand, but it's been good for raising security awareness."
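To make the two mechanisms discussed above concrete, here is an added toy model (written for this page; it is not Heartland's E3, nor any vendor's or card network's code) of the path a card number takes: encryption at the swipe, the decryption boundary at the processor where the clear number reappears before it is forwarded to the card network, and a token vault whose tokens are random digits with no mathematical relationship to the number. Everything in it is an assumption made for illustration: a single static terminal key instead of the per-transaction keys a real reader derives, an HMAC-SHA256 counter-mode stream cipher with an HMAC tag standing in for AES so that only the Python standard library is needed, a sample PAN that is a published test number, and a vault design in which tokens keep the 16-digit shape of a PAN but deliberately fail the Luhn check.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: a well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Luhn checksum that every real card number satisfies."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _derive_keys(terminal_key: bytes) -> tuple[bytes, bytes]:
    """Split the key injected into the reader into an encryption key and a MAC key."""
    return (hmac.new(terminal_key, b"enc", hashlib.sha256).digest(),
            hmac.new(terminal_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: a stdlib-only stand-in for AES-CTR (assumption)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_at_swipe(pan: str, terminal_key: bytes) -> bytes:
    """Inside the reader: encrypt-then-MAC the PAN before it reaches the POS or the
    merchant's network. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _derive_keys(terminal_key)
    nonce = secrets.token_bytes(16)  # fresh per swipe, so two swipes never look alike
    plaintext = pan.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_at_processor(blob: bytes, terminal_key: bytes) -> str:
    """The decryption boundary. Only the processor's key zone can run this, and its
    result is what travels to the card network in the clear."""
    enc_key, mac_key = _derive_keys(terminal_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: tampered, truncated or wrong terminal key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode()


def is_rejected(blob: bytes, terminal_key: bytes) -> bool:
    """True when the processor refuses a blob; shows that tampering is caught."""
    try:
        decrypt_at_processor(blob, terminal_key)
    except ValueError:
        return True
    return False


class TokenVault:
    """Tokenization: a token is random digits, so nothing computed from it yields the
    PAN; the only link is this table, which stays in the processor's secure zone."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:  # one stable token per card
            return self._token_by_pan[pan]
        while True:
            # Same 16-digit shape as a PAN so merchant systems store it unchanged, but
            # deliberately failing Luhn so it can never pass as a card number (design assumption).
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def simulate_transaction(pan: str, terminal_key: bytes, vault: TokenVault) -> dict:
    """One swipe end to end, recording what each zone of the path actually holds."""
    blob = encrypt_at_swipe(pan, terminal_key)            # all the merchant network ever sees
    cleartext = decrypt_at_processor(blob, terminal_key)  # exists only at the processor
    token = vault.tokenize(cleartext)                     # handed back for refunds and records
    return {"merchant_sees": blob, "forwarded_to_network": cleartext, "merchant_keeps": token}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would be injected into the reader at setup
    result = simulate_transaction(SAMPLE_PAN, key, TokenVault())
    print(result["merchant_sees"].hex(), result["forwarded_to_network"], result["merchant_keeps"])
```

Reading the returned dictionary makes the article's two points visible: the merchant's systems hold only `merchant_sees` (an opaque blob) and `merchant_keeps` (a token that is useless without the vault), while `forwarded_to_network` is the clear number that has to exist at the processor for the card-network link, which is exactly the hop the encryption does not cover.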